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Abstract: Recently, two certificateless three-party authenticated key 
agreement protocols were proposed, and both protocols were claimed they 
can meet the desirable security properties including forward security, key 
compromise impersonation resistance and so on. Through cryptanalysis, we 
show that one neither meets forward security and key compromise imperson- 
ation resistance nor resists an attack by an adversary who knows all users' 
secret values, and the other cannot resist key compromise impersonation 
attack. Finally, we propose improved protocols to make up two original pro- 
tocols' security weaknesses, respectively. Further security analysis shows that 
our improved protocols can remove such security weaknesses. 

Key words: key compromise impersonation attack; forward security; 
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1. Introduction 

Authenticated key agreement (AKA) is one of the fundamental crypto- 
graphic primitives. It allows two or more users to generate a shared session 
secret key over an open network with each other, and all the users are as- 
sured that only their intended peers can know the shared session secret key. 
AKA protocols can be realized in the traditional public-key infrastructure 
(PKI) setting, identity-based cryptography setting or certificateless cryp- 
tography setting 01 . Certificateless authenticated key agreement (CLAKA) 
protocols would be more appealing due to its advantages in eliminating the 
heavy certificate management burden in PKI-based AKA protocols and key 
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escrow problem in identity-based AKA protocols. By far, many researchers 
have been investigating secure and efficient certificateless two-party authen- 
ticated key agreement protocols (e.g., j3-12|). A research direction in AKA 
protocol aims to generalize two-party AKA setting to multi-party AKA set- 
ting, among which the three-party AKA protocols receive much interest. In 
2009, Gao et al. [l3| proposed the first three-party CLAKA protocol. Since 
then, several three-party CLAKA protocols (e.g., IJ], the XCQ-11 protocol 
13, the XCL-12 protocol [l6|) tiave been proposed. 



In this paper, we analyze two three-party CLAKA protocols [15|, ll6| and 
propose two improved protocols. Firstly, we point out that the XCQ-11 
protocol [is] is subjected to three attacks including forward security attack, 
key compromise impersonation attack, and an attack by adversaries who 
know all users' secret values, and then propose a simple improvement to 
remove these fiaws. Secondly, we find that the XCL-12 protocol [l6| cannot 
resist key compromise impersonation attack and propose an efficient protocol 
which can resist this attack. 

The remaining part of this paper is organized as follows. Some preliminar- 
ies are introduced in Section 2. A review and three attacks and an improved 
protocol of the XCQ-11 protocol are given in Section 3. A review and two 
attacks and an improved protocol of the XCL-12 protocol are given in Section 
4. Finally, some conclusions are drawn in Section 5. 



2. Preliminaries 

We now briefiy review some basic concepts used in this paper, including 
bilinear pairings and some security properties. 

2. 1 . Bilinear pairing 

Let Gi be an additive group generated by P with prime order q and G2 
be a multiplicative group of the same order. A map e : Gi x d — ^ G2 is said 
to be a bilinear pairing if the following three conditions hold true: 

1. Bilinearity: for all a, be Z*, e{aP, bP) = e(F, P)''\ 

2. Non-degeneracy: e{P, P) ^ 1^2- 

3. Computability: e is efficiently computable. 
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2.2. Security properties 

It is desirable for three-party authenticated key agreement protocols to 
possess the following security properties. Let A, B and C be three partici- 
pants that execute the protocol correctly. 

• Known-key security: The session key is not compromised in the face of 
adversaries who have learned some other session keys. 

• Key compromise impersonation (KCI) resistance: If an adversary 
reveals A's long-term private key, the adversary cannot impersonate any 
other participant to A without the participant's private key. 

• Forward secrecy (FS): Compromising of long-term private keys of one 
or more of the participants should not affect the secrecy of previously es- 
tablished session keys. A protocol has forward secrecy if the secrecy of 
previously established session keys is not affected when some but not all of 
the participants' long-term private keys are corrupted. A protocol has per- 
fect forward secrecy if the secrecy of previously established session keys is 
not affected when all participants' long-term private keys are compromised. 

• Unknown key share (UKS) resistance: If one participant A thinks 
that he/she is sharing a key with the other participants (e.g., B and C), 
then it should not happen that A is actually sharing that key with the 
adversary, which is not B or C. 



3. The XCQ-11 protocol and its analysis and improvement 



In this section, we first review the XCQ-11 protocol ISj, then give three 



attacks on the XCQ-11 protocol, and finally propose a simple countermeasure 
to resist these attacks. 



3.1. Review of the XCQ-11 protocol 

The XCQ-11 protocol [l5| requires a KGC and consists of four phases: 
system setup, partial key extraction, user key generation and key agreement 
phases. 

• Setup: Given a security parameter G Z, the algorithm works as follows. 

(1) It runs the parameter generator on input k to generate a prime g, two 
groups Gi, G2 of prime order g, a generator P of Gi, and an admissible 
pairing e : Gi x Gi — )• G2. 
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(2) It chooses a master-key x G Z* and computes Pq = xP. 

(3) It chooses three cryptographic secure hash functions Hi : {0, 1}* — )■ 
Z*, H2 : Gi ^ Z* and H3 : {0, 1}*^ x x G2 ^ {0, 1}^ Fi- 
nally the KGC's master-key x is kept secret and the system parameters 
{q, Gi, G2, e, P, Po, Hi, H2, H3} are published. 

• PcirtialKeyGen: Given a user's identity IDjj e {0, 1}*, KGC first chooses 
at random qu = Hi{IDu). It then sets this user's partial private key 

su = ^^^^ P and transmits it to user IDu secretly. 

It is easy to see su is actually a signature on IDu for the key pair {Pq, x), 
and user IDu can check its correctness by checking whether e{su,Po + 
quP) — e(P, P). For convenience, here we define Qu — Po + quP- 

• UserKeyGen: User IDu picks randomly xu £ Z* as his/her user secret 
key usku, and computes his/her public key as upku = xuQu- After that, 
the user IDu computes the full private key Su = xv+nliupku) ^^' 

• Key Agreement: Assume that an entity A with identity ID a has full 
private key Sa and public key upk^-, an entity B with identity IDb has 
private key Sb and public key upkB, and an entity C with identity IDq has 
private key Sc and public key upkc- The message flows and computations 
of a protocol run are described below. 

(1) A, B, C: choose a,b,ce Z*. 



(2) A^ B : 


'■ Tab 


= a{upkB 


+ H2{upkB)QB) 


A^C: 


Tac 


= a{upkc 


+ H2{upkc)Qc) 


B^ A: 


'■ Tba 


= b{upkA 


+ H2{upkA)QA): 


B^C 


■ Tbc 


— h{upkc 


+ H2{upkc)Qc) 


C A: 


TcA 


= c{upkA 


+ H2{upkA)QA): 


C ^ B 


■ TcB 


= c{upkB 


+ H2{upkB)QB) 



(3) A:kA = e(P, PYe{TBA, SaMTca, Sa) = e{P, P)«+^+-, 
B:kB = e{P, Pfe{TAB, Sb^Tcb, Sb) = e{P, P)-+b+c^ 
C:kc = e(P, P)^e{TAc, Sc)e{TBc, Sc) = e(P, P)«+''+^ 

After the protocol has finished, all three entities share the session key, 
which is computed as 

K ^ Hs{IDA\\IDB\\IDc\\upkA\\upkB\\upkc\\TAB\\TAc\\TBA\\TBc\^^^^ 

3.2. Failure to provide forward secrecy 

Suppose that As long-term private key Sa and S's long-term private 
key Sb have been compromised. In the following, we show that an adver- 
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sary A with the knowledge Sa and Sb can obtain previously established 
session keys. Assume adversary A has eavesdropped the transferred mes- 
sages Tba, Tca, Tab, Tcb,Tac and Tbc- From the values Tba, Tab, Tca, Sa 
and Sb, adversary A can compute k = e{TAB, SB)e{TBA, SA)e{TcA, Sa) = 
e{P, P)"+^+"^ from which he can construct the session key. Thus the XCQ-11 
protocol cannot provide forward secrecy. 

3.3. KCI attack by a common adversary 

Suppose that A's long-term private key Sa and S's long-term private 
key Sb have been compromised. Obviously, A is now able to impersonate 
the corrupted party to any other party. However, it is also desirable that 
knowledge of the full private key does not enable A to impersonate other 
entities to the corrupted party. Accordingly, in a three-party key agreement 
protocol, a KCI attack can be an attack whereby A, with A's long-term 
private key and 5's long-term private key at hand, attempts to establish a 
valid session key with A and B by masquerading as another legitimate entity 
(say C). 

A detailed description of KCI attack by a common adversary against the 
XCQ-11 protocol is outlined below {A{C) denotes that A is impersonating 
C). 

(1) A,B,AiC): choose a,b,c' G Z*. 

(2) B: Tab = a{upkB + H2{upkB)QB), 

A A{C) : Tac = a{upkc + H2{upkc)Qc), 
B ^ A : Tba = h{upkA + H2{upkA)QA), 
B ^ A{C) : Tbc = b{upkc + H2{upkc)Qc), 
A{C) -4 A : Tca = c'{upkA + H2{upkA)QA), 
A{C) ->B:TcB = c'iupkB + H2{upkB)QB)- 

(3) A and B compute the session key according to the protocol specification. 
A{C) computes the session key as follows. 

kA{c) = e(P, PYKTab, Sb^Tba, Sa) = e{P, 

K = Hs{IDA\\IDB\\IDc\\upkA\\upkB\\upkc\\TAB\\TAc\\TBA\\TBc\\TcA\\TcB 
e(P, P)«+*+'=') 

So A successfully agrees a session key K with entity A and B while A and B 
believes he is sharing the key with entity C. Thus KCI attack by a common 
adversary is successful. 
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3.4- An attack by an adversary who knows all users' secret values 

An adversary who knows all users' secret values can compute the session 

key of the XCQ-11 protocol with the following method. 

From the values Tab,Tac, Tea, Tbc, Tca, Tcb, upkA, upkB, upkc, qA,qB,qc,XA, xb 

and Xc, the adversary can compute the following three points 

a{xB + H2{upkB))QB 



- xo+H^Vpfcc) "^^^ + H2{upkc))Qc) 
= I^Wb - aQc) 
= l^ilB - qc)aP 

_ 1 / 1 rp 1 p \ 

QA-qc^ 3:A+H2{upkA) xc+H2{upkc) ' 

„p _ 1 / 1 p 1 p \ 

qA~qB^XA+H2iupkA) '^^ XB+H2{upkB) (^^>- 

Then the adversary can compute k = e{aP + bP + cP, P) = e{P, pY+'^+'^ 
from which he can obtain the session key. 

3.5. Our improvement 

The reason why the XCQ-11 protocol can suffer from the above three 
attacks is that it lacks message origin authentication in the XCQ-11 protocol. 
To make up security weaknesses, we give a simple improvement which uses 
signatures to achieve message origin authentication and has the same design 



idea as protocols [ij, ll7 



• Setup: This phase is the same as that in Section 3.1 except that a se- 
cure signature scheme from pairings is chosen and is modified to : 
{0,1}*^ X G? X G2 ^ {0,1}^ 

> PartialKeyGen and UserKeyGen: These two phases are the same as 
those in Section 3.1. 

» Key Agreement: This phase is the same as that in Section 3.1 except 
that the following message flows and computations of a protocol run. 

(1) A, B, C: choose a,b,ce Z*. 

(2) A B,C : {Ta = aP, cr^}, where cr^ is the signature on T4 and upkA 
under A's full private key Sa- 

B ^ A,C : {Tb = bP, as}, where as is the signature on Tb and upkB 
under B's full private key Sb- 

C ^ A, B : {Tc = cP, ac}, where ac is the signature on Tc and upkc 
under C's full private key Sc- 
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(3) A verifies the validity of cr^ and ac- If both are vahd, A computes 
kA = eiTB,Tcr. 

B verifies the vahdity of a a and ac- If both are valid, B computes 
kB = e{TA,Tcf. 

C verifies the validity of a a and a^. If both are valid, C computes 
kc = e{TA,TBY. 

After the protocol has finished, all three entities share the session key, which 
is computed as 

K = H3iIDA\\IDB\\IDc\\upkA\\upkB\\upkc\\TA\\TB\\Tc\\e{P,Pr^^^ 
With this modification, the improved protocol can withstand the above 
attacks. Reasons are easily described as follows. 

The resulting session key of our improved protocol is independent of the 
participants' full private keys as the full private keys are used only to gen- 
erate signatures. That is to say, compromising the full private keys of all 
participants is no help to compute the session key. Hence, the improved 
protocol provides perfect forward secrecy and resist the attack described in 
Section 3.4. Furthermore, an adversary who wants to impersonate a user 
must generate a correct signature, however, he cannot generate a correct sig- 
nature without the user's full private key. Thus the improved protocol can 
resist KCI attack by a common adversary. 



4. The XCL-12 protocol and its analysis and improvement 



In this section, we first review the XCL-12 protocol [16[, then show that 
the XCL-12 protocol is vulnerable to two types of KCI attacks, and finally 
propose an efficient countermeasure to resist these attacks. 

4.1. Review of the XCL-12 protocol 



The XCL-12 protocol [16| is described as follows 



• Setup: Given a security parameter G Z, the algorithm works as follows. 

(1) It runs the parameter generator on input k to generate a prime q, two 
groups Gi, G2 of prime order q, a generator F of Gi, and an admissible 
pairing e : Gi x Gi — > G2. 

(2) It chooses a master-key x & Z* and computes Pq = xP. 
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(3) It chooses two cryptographic secure hash functions Hi : {0, 1}* x Gi — >■ 
Z*andi/2 : {0, l}*^xGi°xG^ ^ {0,1}^ Finally the KGC's master-key 
X is kept secret and the system parameters {g, Gi, G2, e, P, Pq, -f^i, -^^2} 
are published. 

• PartialKeyGen: Given a user's identity IDjj G {0, 1}*, KGC first chooses 
at random ru G Z*, and computes Ru = ruP,h = Hi{IDu\\Ru), and 
sif — {ru + hx)~^. It then sets this user's partial private key {su, Ru} and 
transmits it to user IDu secretly. 

It is easy to sec that user IDu can validate his/her partial private key by 
checking whether the equation su{Ru + Hi{I Du\\Ru)Pq) = P holds. The 
partial key is valid if the equation holds, and vice versa. 

• UserKeyGen: User IDu picks randomly xu G Z* as his/her user secret 
key usku, and computes his/her public key as upku — xuP- 

• Key Agreement: Assume that an entity A with identity I Da has full 

private key {sa, Ra, xa) and public key upkA, an entity B with identity 
IDb has private key {sb,Rb,Xb) and public key upks, and an entity C 
with identity IDq has private key {sc, Rc, ^c) and public key upkc- The 
message flows and computations of a protocol run are described below. 

(1) A, B, C: choose a,b,ce Z*. 

(2) A^B,C:{IDA,upkA,RA} 

B^A: {IDb, upkB, Rb, Tba = KRa + Hi{IDa\\Ra)Po)} 
C^A: {IDc, upkc, Rc, Tca = c(i?A + Hi{IDa\\Ra)Po)} 
A^B:Tab^ a{RB + Hi{IDb\\Rb)Po) 
A^C:Tac^ a{Rc + Hi{IDc\\Rc)Po) 
B-^C: {IDB,upkB,RB} 

C^B : {IDc, upkc, RcTcB = c{Rb + Hi{IDb\\Rb)Po)} 
B^C:Tbc = h{Rc + Hi{IDc\\Rc)Po). 

(3) A computes: 

^ABC = aP + saTba + saTca = aP + bP + cP = {a + b + c)P 
kABC = K^aTba, SaTcaT = e{bP, cPf = e{P, Pf"^ 
klsc = eC^pkn, upkcf^ = e(P, PfAXEXc _ 
B computes: 

kABC ^bP + sbTab + sbTcb = bP + aP + cP = (a + b + c)P 
kABC = KsbTab, sbTcb)' = eiaP, cPf = e{P, Pf"^ 
kABC = e^upkA^upkcf" = e{P,PY^^BXc_ 
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C computes: 

kABC ^cP + scTac + scTbc = cP + aP + bP={a + b + c)P 
kABC = eiscTAc, scTbcY = e(aP, hPf = e{P, P)""^ 
^ABC = eiupkA^upkBY"^ = eiP^Pf^'^BXc _ 

After the protocol has finished, all three entities share the session key, 
which is computed as 

K = H2{IDA\\IDB\\IDc\\upkA\\upkB\\upkc\\TAB\\TAc\\TBA\\TBc\\TcA\\TcB 
{a + b + c)P\\e{P, P)"''"'\\e{P, PfAXBXcy 

4-2. KCI attack by a malicious KGC 

Suppose the full private key {sa-, Ra, ^a) of an entity A is compromised by 
a malicious KGC (say S). Obviously, S is now able to impersonate the cor- 
rupted party to any other party. However, it is also desirable that knowledge 
of the full private key does not enable S to impersonate other entities to the 
corrupted party. Accordingly, in a three-party key agreement protocol, a KCI 
attack can be an attack whereby S, with A's long-term private key at hand, 
attempts to establish a valid session key with A and B by masquerading as 
another legitimate entity (say C). 

A detailed description of KCI attack by a malicious attack against the 
XCL-12 protocol is outlined below {S{C) denotes that S is impersonating C). 
We note that a malicious KGC knows the partial key {sc, Rc) of C since the 
user's partial key is generated by him, however, he cannot know the secret 
value xc of C. 

(1) A,B,8{C): choose a, 6, c' G Z*. 

(2) A^B, £{C) : {ID A, upkA, Ra] 

B^A: {IDB,upkB, Rb,Tba = &(^a + Hi{IDa\\Ra)Po)} 
£{C) ^ A : {IDc, upkc, Rc, Tca = c'{Ra + H^{IDa\\Ra)Po)} 
A^B:Tab = a{RB + Hi{IDb\\Rb)Po) 
A ^ S{C) : Tac = a{Rc + H^{IDc\\Rc)P^) 
B-^S{C) : {IDB,upkB,RB} 

8{C) ^ B : {IDc, upkc, RcTcB = c'{Rb + H^{IDb\\Rb)Po)] 
B ^ £{C) : Tbc = h{Rc + H^{IDc\\Rc)Po)- 

(3) A and B compute the session key according to the protocol specification. 
S{C) computes the session key as follows. 

kABC = CP + scTac + saTba = c'P + aP + bP={a + b + c')P 
k\BC = e{scTAc, saTbaY = e(aP, bPf = e(P, P)«^^' 
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kABC = e{wkB, upkcY^ = e(P, PY^xexc 

K = H^{IDA\\IDB\\IDc\\upkA\\upkB\\upkc\\TAB\\TAc\\TBA\\TBcW^ 
(a + 6 + c')P\\e{P, P)"'"^'! |e(P, PfAXBXcy 

So £ successfully agrees a session key X with entity A and 5 while A and -B 
believes he is sharing the key with entity C. Thus KCI attack by a malicious 
KGC is successful. 

4.3. KCI Attack by a common adversary 

Suppose that A's full private key {sa-,Ra^xa) and S's full private key 
[sbi Rb, Xb) have been compromised. Obviously, A is now able to imperson- 
ate the corrupted party to any other party. However, it is also desirable that 
knowledge of the full private key does not enable A to impersonate other 
entities to the corrupted party. Accordingly, in a three-party key agreement 
protocol, a KCI attack can be an attack whereby A, with A's long-term pri- 
vate key and i?'s long-term private key at hand, attempts to establish a valid 
session key with A and B by masquerading as another legitimate entity (say 
C). 

A detailed description of KCI attack by a common adversary against the 
XCL-12 protocol is outlined below {A{C) denotes that A is impersonating 
C). 

(1) A,B,A{C): choose a,b,c" G Z*. 

(2) A^B, A{C) : {IDa, upkA, Ra} 

B-^A: {IDb, upkB, Rb, Tba = KRa + H^{IDa\\Ra)Po)} 
A{C) ^ A : {IDc,upkc,Rc,TcA = (/'{Ra + H,{IDa\\Ra)Po)} 
A^B:Tab^ a{RB + H^{IDb\\Rb)Po) 
A ^ A{C) : Tac = a{Rc + H,{IDc\\Rc)Po) 
B^A{C) : {IDB,upkB,RB} 

A{C) -> B : {IDc,upkc,Rc,TcB = c"{Rb + H,{IDb\\Rb)Po)} 
B -> A{C) : Tbc = b{Rc + Hi{IDc\\Rc)Po)- 

(3) A and B compute the session key according to the protocol specification. 
A{C) computes the session key as follows. 

f^ABC = c"P + sbTab + saTba = d'P + aP + bP^{a + b + d')P 
klsc = K^bTab, saTbaY" = e(aP, bPY" = e(P, PY'"" 

k^BC = e{upkB,upkcY^ = e{P, PY^''^''^ 

K = H2{IDA\\IDB\\IDc\\upkA\\upkB\\upkc\\TAB\\TAc\\TBA\\TBc\\TcA\\TcB\\ 
{a + b + c')P\\e{P, PY'"''\\e{P, P)^-*^^^^). 
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So A successfully agrees a session key K with entity A and B while A and B 
believes lie is sharing the key with entity C. Thus KCI attack by a common 
adversary is successful. 

4-4- Our improvement 

Informally saying, the XCQ-12 protocol cannot resist two types of KCI 
attacks is because the inappropriate design of shared values k\^Q, k^^Q and 
k\^Q makes that the session key does not depend on all three parties' partial 
private keys, secret values, and ephemeral secrets. To make up the security 
weaknesses, we give an efficient improvement as follows which modifies the 
three shared values. 

• Setup, PartialKeyGen and UserKeyGen: These three phases are the 
same as those in Section 4.1. 

• Key Agreement: This phase is the same as that in Section 4.1 except 
that the following computations. 

A computes 

kABC = aP + saTba + saTca = aP + bP + cP = {a + b + c)P 

kABC = eisATBA+RB+H^iIDB\\RB)Po,SATcA+Rc+Hi{IDc\\Rc)Poy^''^' 

= e( P, P)('='+^A^)(^+«s')(c+'*c') 
k\^^ = e{sATBA + upkB, saTca + upkcY^^^ = e(P, p)(^+^A){b+XB)(c+xc) 
B computes 

k\sc = bP + sbTab + sbTcb = bP + aP + cP = {a + b + c)P 

kABC = e{sBTAB+RA+H,{IDA\\RA)Po,SBTcB+Rc+H,{IDc\\Rc)Pof^'~^' 

= e( P, P)(«+«i')(^+«s')(c+«c') 

kABC = K^bTaB + UpkA, SbTcb + Upkcf""" = e(P, P){-+-A){b+xs)(.c+xc) 

C computes 

kABC = cP + scTac + scTbc = cP + aP + bP = {a + b + c)P 

kABC = e{scTAc + RA+Hi{IDA\\RA)Po,scTBC+RB+Hi{IDB\\RB)Poy^'^' 

= e( P, P)("+^a')(''+«b')(c+«c') 

kABC = K^cTaC + UpkA, ScTbc + UpkBY^''^ = e(P, P){^+^A){b+XB){c+xc) _ 

After the protocol has finished, all three entities share the session key, which 
is computed as 

K = H2{IDA\\IDB\\IDc\\upkA\\upkB\\upkc\\TAB\\TAc\\TBA\\TBc\\TcA\\TcB 

(^d I) c)P\\e{P, P)("+*A^)(''+«s^)(c+«c^)||e(P, P){«+^A)(6+a:s)(c+a;c))_ 
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With this modification, the improved protocol can withstand two types 
of KCI attacks due to the following reasons. 

As we know, a malicious KGC can know partial private keys {sa, Ra),{sb, Rb) 
and (sc, Rc)- Suppose the full private key {sa, Ra, xa) of an entity A is com- 
promised by a malicious KGC. Then if he want to impersonate C to ^4 and 
B, he would have to compute k\^(j = e{scTAc + ^aP, scTbc + upksY _ 
However, without the knowledge of a and the malicious KGC cannot 
compute ^ABC since he must know h and Xb which is not permitted. 

Suppose that A's full private key {sa.Ra-,^ a) and 5's full private key 
{sb,Rb,xb) have been compromised by an adversary A. Then if he want to 
impersonate C to A and B, he would have to compute fc^^^ = c^sbTab + 
s^'P,SATBA + sfPY"+'c" and k\j,c = eissTAB + xaP, saTba + XBPy"+^'=' . 
However, without the knowledge of a and b, A cannot compute k^^^j and 
^ABC since he must know sc and xc which is not permitted. 

Furthermore, our improved protocol is as efficient as the XCQ-12 protocol 
since only 4 point additions are increased. 



5. Conclusion 

In this paper, we have indicated that Xiong et al.'s protocol [15] suffers 
from FS attack, KCI attack and an attack by adversaries who know all users' 
secret values, and proposed a simple improvement to remove these flaws. We 
also have indicated that Xiong et al.'s protocol 16| cannot resist two types 
of KCI attacks and proposed an efficient improvement to remove these flaws. 
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